Nissan Gives Up Root Shell Thanks To Hacked USB Drive

For the impatient Nissan owners who may be joining us from Google, a hacker by the name of [ea] has figured out how to get a root shell on the Bosch LCN2kai head unit of their 2015 Xterra, and it looks like the process should be the same for other vehicles in the Nissan family such as the Rogue, Sentra, Altima, and Frontier. If you want to play along at home, all you have to do is write the provided image to a USB flash drive and insert it.

Now for those of us who are more interested in how this whole process works, [ea] was kind enough to provide a very detailed account of how the exploit was discovered. Starting with getting a spare Linux-powered head unit out of a crashed Xterra to experiment with, the write-up takes the reader through each discovery and privilege escalation that ultimately leads to the development of a non-invasive hack that doesn’t require the user to pull their whole dashboard apart to run.

The early stages of the process will look familiar to anyone who’s messed with embedded Linux hacking. The first step was to locate the board’s serial port and connect it to the computer. From there, [ea] was able to change the kernel parameters in the bootloader to spawn an interactive shell. To make things a little easier, the boot scripts were then modified so the system would start up an SSH server accessible over a USB Ethernet adapter. With full access to the system, the search for exploits could begin.

A simple script on the flash drive enables the SSH server.

After some poking, [ea] discovered the script designed to mount USB storage devices had a potential flaw in it. The script was written in such a way that the filesystem label of the device would be used to create the mount point, but there were no checks in place to prevent a directory traversal attack. By crafting a label that read ../../usr/bin/ and placing a Bash script on the drive, it’s possible to run arbitrary commands on the head unit. The provided script permanently adds SSHd to the startup process, so when the system reboots, you’ll be able to log in and explore.
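To make the flaw concrete, here is an added example (not [ea]’s script or Nissan’s code) that models the mount-point construction in Python: the naive version pastes the volume label into the path exactly as described above, and the hardened version whitelists the label and checks that the result stays under the mount root. The `/media` base directory and the label whitelist are assumptions for the illustration.

```python
import os
import re

MOUNT_ROOT = "/media"   # assumed base directory for USB volumes (constructed, not the head unit's real path)
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # conservative whitelist; FAT labels are short anyway


def naive_mount_point(label):
    """The flawed pattern from the post: the volume label is joined into the path unchecked."""
    return os.path.normpath(os.path.join(MOUNT_ROOT, label))


def label_rejection_reason(label):
    """Return None if the label is safe to use as a directory name, otherwise why it was rejected."""
    if not label:
        return "empty label"
    if "/" in label or "\0" in label:
        return "path separator or NUL in label"
    if label in (".", ".."):
        return "dot directory"
    if not LABEL_RE.fullmatch(label):
        return "character outside whitelist"
    return None


def safe_mount_point(label):
    """Hardened version: whitelist the label, then verify the final path is a direct child of MOUNT_ROOT."""
    reason = label_rejection_reason(label)
    if reason:
        raise ValueError(f"refusing label {label!r}: {reason}")
    target = os.path.normpath(os.path.join(MOUNT_ROOT, label))
    # Belt and braces: even a whitelisted label must not resolve anywhere but under the root.
    if os.path.dirname(target) != os.path.normpath(MOUNT_ROOT):
        raise ValueError(f"refusing label {label!r}: resolves outside {MOUNT_ROOT}")
    return target
```

Even with the traversal present, mounting removable media with noexec and never executing files from it would have limited the impact.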

So what does [ea] want to do with this new-found exploit? It looks like the goal is to eventually come up with some custom programs that extend the functionality of the in-dash Linux system. As it seems like these “infotainment” systems are now an inescapable feature of modern automobiles, we’re certainly excited to see projects that aim to keep them under the consumer’s control.

Exploring The Dell N1108T-ON Ethernet Switch

In an era where everything seems to be getting “smarter” every year, it will probably come as no surprise to find that even relatively middling networking hardware is now packing advanced features and considerable computational power. A case in point is the Dell N1108T-ON Ethernet switch. Despite only costing around $100 USD on the second hand market, [Ben Cox] discovered this particular switch was capable of a lot more than what was advertised by poking around its onboard operating system.

It all started by plugging into the serial port on the front of the switch, which [Ben] happily notes is an integrated FTDI USB serial adapter to make life easy. Booting into recovery mode gave him local shell access, and some poking around determined it’s the sort of BusyBox-powered Linux system that you’d expect on an embedded device. The biggest discoveries were that it was running a relatively recent kernel (3.8.1), and that it apparently had Python installed.

The reverse shell Python script

From there, [Ben] found out that these switches have a feature where the administrator can install and run Python “applications” by packaging them up as tarballs and copying them from a USB flash drive. So he wrote up a simple Python program that used the socket library to open up a reverse shell to his desktop computer, and to his surprise, it worked perfectly on the first try. Now with root access, the fun really started.

The next step was getting an SSH server installed and running on the switch, so that he didn’t have to do the reverse shell trick every time. He then started installing the packages necessary to turn the switch into a secure VPN tunnel with Wireguard. This took a little fiddling as [Ben] didn’t have the option of installing the normal Wireguard kernel module, but he eventually got the necessary tools modified and cross-compiled to ARM. He believes this is just the start of what’s possible on devices like this, and we’re interested in seeing where the community goes from here.

We’ve seen hackers add management capability to a “dumb” unmanaged switch in the past, but software modifications like this promise to make the creation of custom, secure networks far easier even on a hacker’s budget. A lot has certainly changed since the last time we saw somebody really dive into a professional Ethernet switch.

Rigol MSO5000 Hacked, Features Unlocked

Rigol’s test gear has something of a history of being hacked. Years ago the DS1022C oscilloscope was hacked to increase bandwidth, and more recently the DS1054Z was hacked to unlock licensed features. Now, it’s the MSO5000’s turn.

Over on the EEVBlog forums a group has been working on hacking another Rigol, the MSO5000, a 70 MHz oscilloscope which can be upgraded to 350 MHz via software licensing. Various other features including a two channel, 25 MHz arbitrary waveform generator are also built-in, but locked out unless a license key is purchased. The group have managed to enable all the locked options without license keys.

The hack is quite simple. The Linux system running on the scope has a default root password of, you guessed it, “root”. After logging in over SSH with these credentials, the user just needs to modify the startup file to add the “-fullopt” flag to the “appEntry” application. This starts the application in a fully unlocked state, which gives access to all the features.

The MSO5000 costs about $1000, and the bandwidth option alone adds over $3000 to the price. If you’re willing to risk your warranty, and you have the skills to edit a file with vi, this hack provides a serious upgrade for free.

If you have a DS1022C you’ll find our reporting on its hack here, and likewise DS1054Z owners will find theirs here.

Header image: EEVBlog.

Rooting The Amazon Fire TV Cube With An Arduino

Amazon might not be happy about it, but at least part of the success of their Fire TV Stick was due to the large hacking and modification scene that cropped up around the Android-powered device. A quick search on YouTube for “Fire Stick Hack” will bring up a seemingly endless array of videos, some with millions of views, which will show viewers how to install unofficial software on the little media dongle. Now it looks like their latest media device, the Fire TV Cube, is starting to attract the same kind of attention.

The team at [Exploitee.rs] has recently taken the wraps off their research which shows the new Fire TV Cube can be rooted with nothing more than an Arduino and an HDMI cable you’re willing to cut apart. Of course, it’s a bit more complicated than just that, but between the video they’ve provided and their WiKi, it looks like all the information is out there for anyone who wants to crack open their own Cube. Just don’t be surprised if it puts you on the Amazon Naughty List.

The process starts by putting the device’s Amlogic S905Z into Device Firmware Upgrade (DFU) mode, which is done by sending the string “boot@USB” to the board over the HDMI port’s I2C interface. That’s where the HDMI cable comes in: you can cut into one and wire it right up to your Arduino and run the sketch [Exploitee.rs] has provided to send the appropriate command. Of course, if you want to get fancy, you could use an HDMI breakout board instead.

With the board in DFU mode you gain read and write access to the device’s eMMC flash, but that doesn’t exactly get you in because there’s still secure boot to contend with. But as these things tend to go, the team was able to identify a second exploit which could be used in conjunction with DFU mode to trick the device into disabling signature verification. Now with the ability to run unsigned code on the Fire TV Cube, [Exploitee.rs] implemented fastboot to make it easier to flash their custom rooted firmware images to the hardware.

As with the Fire TV Stick before it, make sure you understand the risks involved when you switch off a device’s security features. They’re often there to protect the end user as much as the manufacturer.


Hacker Pops Top On NFC Vending Machines

Vending machines used to be a pretty simple affair: you put some coins in, and food or drink that in all likelihood isn’t fit for human consumption comes out. But like everything else today, they are becoming increasingly complex Internet connected devices. Forget fishing around for pocket change; the Coke machine at the mall more often than not has a credit card terminal and a 30 inch touch screen display to better facilitate dispensing cans of chilled sugar water. Of course, increased complexity almost always goes hand in hand with increased vulnerability.

So when [Matteo Pisani] recently came across a vending machine that offered users the ability to pay from an application on their phone, he immediately got to wondering if the system could be compromised. After all, how much thought would be put into the security of a machine that basically sells flavored water? The answer, perhaps not surprisingly, is very little.

The write-up [Matteo] has put together is an outstanding case study in hacking Android applications, from pulling the .apk package off the phone to decompiling it into its principal components with programs like apktool and jadx. He even shows how you can reassemble the package and get it suitable for reinstallation on your device after fiddling around with the source code. If you’ve ever wanted a crash course on taking a peek inside of Android programs, this is a great resource.

By snooping around in the source code, [Matteo] was able to discover not only the location of the encrypted database that serves as the “wallet” for the user, but the routine that generates the encryption key. To cut a long story short, the program simply uses the phone’s IMEI as the key to get into the database. With that in hand, he was able to get into the wallet and give himself a nice stack of “coins” for the next time he hit the vending machines. Given his new-found knowledge of how the system works, he even came up with a separate Android app that allows adding credit to the user’s account on a rooted device.

In the video after the break, [Matteo] demonstrates his program by buying a soda and then bumping his credit back up to buy another. He ends his write-up by saying that he has reported his findings to the company that manufactures the vending machines, but no word on what (if any) changes they plan on making. At the end of the day, you have to wonder what the cost-benefit analysis looks like for a full security overhaul when you’re only selling sodas and bags of chips.

When he isn’t liberating carbonated beverages from their capitalistic prisons, he’s freeing peripherals from their arbitrary OS limitations. We’re starting to get a good idea about what makes this guy tick.


Mechanisms: The Screw Thread

They hold together everything from the most delicate watch to the largest bridge. The world is literally kept from coming apart by screws and bolts, and yet we don’t often give a thought to these mechanisms. Part of that is probably because we’ve gotten so good at making them that they’re seen as cheap commodities, but the physics and engineering behind the screw thread is interesting stuff.

We all likely remember an early science lesson wherein the basic building blocks of all mechanisms were laid out. The simple machines are mechanisms that use an applied force to do work, such as the inclined plane, the lever, and the pulley. For instance, an inclined plane, in the form of a splitting wedge, directs the force of blows against its flat face into a chunk of wood, forcing the wood apart.

Screw threads are another simple machine, and can be thought of as a long, gently sloped inclined plane wrapped around a cylinder. Cut a long right triangle out of paper, wrap it around a pencil starting at the big end, and the hypotenuse forms a helical ramp that looks just like a thread. Of course, for a screw thread to do any work, it has to project out more than the thickness of a piece of paper, and the shape of the projection determines the mechanical properties of the screw.


Down The Rabbit Hole And Back Out Again: Serial Over Headphone Jack

[ttsiodras] tells an epic tale of getting a custom Debian kernel installed on an Asus MemoPAD (ME103K) tablet. Skipping to the end of the saga, he discovers what looks like serial data coming out on the headphone jack when the system boots, but the signal was so distorted that he couldn’t simply interpret it. The solution turns out to be attaching a level-converter chip.


A level converter is a non-inverting amplifier, usually with a Schmitt trigger for immunity against noise. In this case, it acts like a “binarizer” — outputting a high voltage when the input rises above a threshold, and a low when it drops below. It’s the right part when you need to clean up a messy digital signal, and in this case works just fine because the capacitive distortion effects slow down both the leading and trailing edges of the signal, keeping the serial data’s timing intact.
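The claim that slowed edges leave the serial timing intact is easy to check numerically. The following is an added simulation, not [ttsiodras]’s code: it builds an ideal 8N1 frame, smears every edge with a first-order RC model (standing in for the capacitive distortion), runs the result through a Schmitt-trigger binarizer, and decodes the byte back. The 16x oversampling, the RC constant, and the 0.3/0.7 thresholds are assumptions chosen for the illustration.

```python
OVERSAMPLE = 16   # samples per bit period (constructed parameter; at 115,200 baud that is ~1.8 MS/s)


def uart_frame(byte):
    """Ideal 8N1 frame at sample level: idle high, start bit, 8 data bits LSB first, stop bit, idle."""
    bits = [1] * 4 + [0] + [(byte >> i) & 1 for i in range(8)] + [1] + [1] * 4
    return [b for b in bits for _ in range(OVERSAMPLE)]


def rc_lowpass(samples, alpha=0.3):
    """First-order RC model: every step becomes a slow exponential edge; alpha sets the time constant."""
    out, y = [], float(samples[0])
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out


def schmitt(samples, lo=0.3, hi=0.7):
    """Hysteresis comparator: goes low below lo, high above hi, otherwise holds its state (starts high/idle)."""
    out, state = [], 1
    for v in samples:
        if state and v < lo:
            state = 0
        elif not state and v > hi:
            state = 1
        out.append(state)
    return out


def edges(samples):
    """Indices at which a digital sample stream changes level."""
    return [i for i in range(1, len(samples)) if samples[i] != samples[i - 1]]


def decode_8n1(samples):
    """Sample the centre of each bit period, counted from the start bit's falling edge."""
    start = edges(samples)[0]

    def centre(k):
        return samples[start + OVERSAMPLE // 2 + k * OVERSAMPLE]

    if centre(0) != 0 or centre(9) != 1:
        raise ValueError("framing error")
    return sum(centre(k + 1) << k for k in range(8))


def roundtrip(byte):
    """Return (decoded byte, per-edge delay in samples) after RC distortion and binarization."""
    ideal = uart_frame(byte)
    clean = schmitt(rc_lowpass(ideal))
    delays = [c - i for i, c in zip(edges(ideal), edges(clean))]
    return decode_8n1(clean), delays
```

Every edge, rising or falling, comes out delayed by the same number of samples, so the bit boundaries shift together and the decoder still lands in the middle of each bit.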

That was the spoiler. If you want to read up on putting a custom Linux on an Android device, check out [ttsiodras]’s first post where he backs the machine up, and the second where he gets his custom kernel up and running. If you’re ever faced with an Android tablet that hasn’t been owned yet, or if you just have a DIY streak, this should help you get started.

Using the audio jack for serial is actually not uncommon, and discovering a serial terminal that listens at boot time is our favorite way to wedge a Linux OS into odd devices. So when you see a funny, distorted signal coming out at 115,200 baud, take a moment to clean its edges up and see what you’ve got.